kube_cluster 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44abda9fe549953b96a2cb47130457c4c48632f7b15de95b908e5f0f086cd50d
-  data.tar.gz: b8684b9dc96998ae588ae180709fb2921e9123744dd307c0115566b4a0e3ce0d
+  metadata.gz: f6b2fcc6e1de8c59841b080e8150aa249d84fc064f4eab2e981be9ded9dc2290
+  data.tar.gz: 1a55810edfb5809b44699e2a17984b9f0311257aba52796da6b74e293ce3a9d0
 SHA512:
-  metadata.gz: 8a864cbc779ac254833255e5b747c4e892d38c99328726f6e5f2f10829329918e6952d8370c440fd8821bf3875a4c2d4b3fc43174d387549375bbbfc4bb99794
-  data.tar.gz: a5435a7443624ba54d4fec5ae93d29cf426a7e5e9c14b160b0d1c925f960d8cb832f50c07962c05039ffcfcdc4a2e581f3bb8b49c4b393307f3dfba286cac989
+  metadata.gz: b64081cec15ce53b3a80effecba8f2ae3ec43ee58d1dc483196a821f37a4d6aa0aabbdd3d21e5df7eb5208cbd8bdbcf1aefbf82a9911733795b5ad4689c2c62e
+  data.tar.gz: ef610d9b33d6907a92f69c077080a8f26ffd6a1e2f2e391b9f54564187b6799af2e275b2f9f6cb3b056f3f9b3952b964921692a2d4456ee5ee7af229b209ac0c

data/.github/workflows/release.yml

@@ -0,0 +1,43 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+
+
+
+  build-and-push-gem:
+    uses: ./.github/workflows/build-and-push-gem.yml
+    permissions:
+      contents: read
+      id-token: write
+    secrets: inherit
+
+
+
+  github-release:
+
+    needs: [build-and-push-gem]
+
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: release/
+          merge-multiple: true
+
+      - name: Consolidate checksums
+        run: |
+          cd release
+          cat SHA256SUMS-linux-*.txt > SHA256SUMS.txt
+          rm SHA256SUMS-linux-*.txt
+
+      - uses: softprops/action-gh-release@v2
+        with:
+          files: release/*
+          generate_release_notes: true

data/.github/workflows/tag-gem-version-bump.yml

@@ -0,0 +1,47 @@
+name: Auto-tag on version bump
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  tag:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+
+      - name: Read version from gemspec
+        id: read
+        run: |
+          version=$(ruby -e '
+            spec = Gem::Specification.load(Dir["*.gemspec"].first)
+            puts spec.version
+          ')
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Check if tag exists
+        id: check
+        run: |
+          tag="v${{ steps.read.outputs.version }}"
+          if git rev-parse "$tag" >/dev/null 2>&1; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create and push tag
+        if: steps.check.outputs.exists == 'false'
+        run: |
+          tag="v${{ steps.read.outputs.version }}"
+          git config user.name  "Nathan K"
+          git config user.email "nathankidd@hey.com"
+          git tag -a "$tag" -m "Release $tag"
+          git push origin "$tag"

data/.gitignore

@@ -1,6 +1,8 @@
 *.gem
+.direnv
 /.bundle/
 /coverage/
 /pkg/
 /tmp/
 /vendor/bundle
+/kubeconfig.yaml

data/Gemfile.lock

@@ -1,52 +1,75 @@
 PATH
   remote: .
   specs:
-    kube_cluster (0.1.1)
-      kube_schema (~> 1.0)
+    kube_cluster (0.2.0)
+      kube_kit (> 0)
+      kube_kubectl (~> 2.0.0)
+      kube_schema (~> 1.2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.9)
-      public_suffix (>= 2.0.2, < 8.0)
     ast (2.4.3)
-    bigdecimal (4.0.1)
+    bigdecimal (4.1.2)
     black_hole_struct (0.1.3)
+    date (3.5.1)
+    debug (1.11.1)
+      irb (~> 1.10)
+      reline (>= 0.3.8)
+    erb (6.0.3)
     hana (1.3.7)
-    json (2.19.2)
-    json-schema (6.2.0)
-      addressable (~> 2.8)
-      bigdecimal (>= 3.1, < 5)
+    io-console (0.8.2)
+    irb (1.17.0)
+      pp (>= 0.6.0)
+      prism (>= 1.3.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    json (2.19.3)
     json_schemer (2.5.0)
       bigdecimal
       hana (~> 1.3)
       regexp_parser (~> 2.0)
       simpleidn (~> 0.2)
-    kube_schema (1.0.0)
+    kube_kit (0.2.0)
+    kube_kubectl (2.0.1)
+      debug (~> 1.11)
+      json_schemer (~> 2.5)
+      rubyshell (~> 1.5)
+      shellwords (~> 0.2.2)
+      string_builder (~> 1.2.0)
+    kube_schema (1.2.1)
       black_hole_struct (~> 0.1)
       json_schemer (~> 2.5)
       rubyshell (~> 1.5)
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
-    mcp (0.8.0)
-      json-schema (>= 4.1)
     minitest (5.27.0)
-    parallel (1.27.0)
-    parser (3.3.10.2)
+    parallel (2.0.1)
+    parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
+    pp (0.6.3)
+      prettyprint
+    prettyprint (0.2.0)
     prism (1.9.0)
-    public_suffix (7.0.5)
+    psych (5.3.1)
+      date
+      stringio
     racc (1.8.1)
     rainbow (3.1.1)
-    rake (13.3.1)
-    regexp_parser (2.11.3)
-    rubocop (1.85.1)
+    rake (13.4.2)
+    rdoc (7.2.0)
+      erb
+      psych (>= 4.0.0)
+      tsort
+    regexp_parser (2.12.0)
+    reline (0.6.3)
+      io-console (~> 0.5)
+    rubocop (1.86.1)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
-      mcp (~> 0.6)
-      parallel (~> 1.10)
+      parallel (>= 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
@@ -58,7 +81,11 @@ GEM
       prism (~> 1.7)
     ruby-progressbar (1.13.0)
     rubyshell (1.5.0)
+    shellwords (0.2.2)
     simpleidn (0.2.3)
+    string_builder (1.2.0)
+    stringio (3.2.0)
+    tsort (0.2.0)
     unicode-display_width (3.2.0)
       unicode-emoji (~> 4.1)
     unicode-emoji (4.2.0)
@@ -73,36 +100,5 @@ DEPENDENCIES
   rake (~> 13.0)
   rubocop (~> 1.21)
 
-CHECKSUMS
-  addressable (2.8.9) sha256=cc154fcbe689711808a43601dee7b980238ce54368d23e127421753e46895485
-  ast (2.4.3) sha256=954615157c1d6a382bc27d690d973195e79db7f55e9765ac7c481c60bdb4d383
-  bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7
-  black_hole_struct (0.1.3) sha256=b1cac7dbe7f36bb3ed8372de656dbe140ad20d786aaace552c5706f7aa46c4a3
-  hana (1.3.7) sha256=5425db42d651fea08859811c29d20446f16af196308162894db208cac5ce9b0d
-  json (2.19.2) sha256=e7e1bd318b2c37c4ceee2444841c86539bc462e81f40d134cf97826cb14e83cf
-  json-schema (6.2.0) sha256=e8bff46ed845a22c1ab2bd0d7eccf831c01fe23bb3920caa4c74db4306813666
-  json_schemer (2.5.0) sha256=2f01fb4cce721a4e08dd068fc2030cffd0702a7f333f1ea2be6e8991f00ae396
-  kube_cluster (0.1.1)
-  kube_schema (1.0.0) sha256=a83e584b316f21492fe551231f22cf3e7439fd6f1df6f3769c24d66ab040dc6e
-  language_server-protocol (3.17.0.5) sha256=fd1e39a51a28bf3eec959379985a72e296e9f9acfce46f6a79d31ca8760803cc
-  lint_roller (1.1.0) sha256=2c0c845b632a7d172cb849cc90c1bce937a28c5c8ccccb50dfd46a485003cc87
-  mcp (0.8.0) sha256=ae8bd146bb8e168852866fd26f805f52744f6326afb3211e073f78a95e0c34fb
-  minitest (5.27.0) sha256=2d3b17f8a36fe7801c1adcffdbc38233b938eb0b4966e97a6739055a45fa77d5
-  parallel (1.27.0) sha256=4ac151e1806b755fb4e2dc2332cbf0e54f2e24ba821ff2d3dcf86bf6dc4ae130
-  parser (3.3.10.2) sha256=6f60c84aa4bdcedb6d1a2434b738fe8a8136807b6adc8f7f53b97da9bc4e9357
-  prism (1.9.0) sha256=7b530c6a9f92c24300014919c9dcbc055bf4cdf51ec30aed099b06cd6674ef85
-  public_suffix (7.0.5) sha256=1a8bb08f1bbea19228d3bed6e5ed908d1cb4f7c2726d18bd9cadf60bc676f623
-  racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
-  rainbow (3.1.1) sha256=039491aa3a89f42efa1d6dec2fc4e62ede96eb6acd95e52f1ad581182b79bc6a
-  rake (13.3.1) sha256=8c9e89d09f66a26a01264e7e3480ec0607f0c497a861ef16063604b1b08eb19c
-  regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4
-  rubocop (1.85.1) sha256=3dbcf9e961baa4c376eeeb2a03913dca5e3987033b04d38fa538aa1e7406cc77
-  rubocop-ast (1.49.1) sha256=4412f3ee70f6fe4546cc489548e0f6fcf76cafcfa80fa03af67098ffed755035
-  ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
-  rubyshell (1.5.0) sha256=ffd528415962e52b2f3ec155fc3bc2cac401981413c0db451ea2a20194916ab6
-  simpleidn (0.2.3) sha256=08ce96f03fa1605286be22651ba0fc9c0b2d6272c9b27a260bc88be05b0d2c29
-  unicode-display_width (3.2.0) sha256=0cdd96b5681a5949cdbc2c55e7b420facae74c4aaf9a9815eee1087cb1853c42
-  unicode-emoji (4.2.0) sha256=519e69150f75652e40bf736106cfbc8f0f73aa3fb6a65afe62fefa7f80b0f80f
-
 BUNDLED WITH
-  4.0.7
+   2.6.9

data/bin/console

@@ -5,4 +5,7 @@ require "bundler/setup"
 require "kube/cluster"
 require "irb"
 
+GEM_HOME = File.expand_path('..', __dir__)
+ENV["KUBECONFIG"] = File.join(GEM_HOME, "kubeconfig.yaml")
+
 IRB.start(__FILE__)

data/bin/dev

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+docker compose up -d
+

data/docker-compose.yml

@@ -0,0 +1,26 @@
+# to run define K3S_TOKEN, K3S_VERSION is optional, eg:
+#   K3S_TOKEN=${RANDOM}${RANDOM}${RANDOM} docker-compose up
+services:
+  server:
+    image: "rancher/k3s:latest"
+    command: server
+    tmpfs:
+      - /run
+      - /var/run
+    ulimits:
+      nproc: 65535
+      nofile:
+        soft: 65535
+        hard: 65535
+    privileged: true
+    restart: always
+    environment:
+      - K3S_TOKEN=change-me-or-face-the-consequences
+      - K3S_KUBECONFIG_OUTPUT=/output/kubeconfig.yaml
+      - K3S_KUBECONFIG_MODE=666
+    volumes:
+      - .:/output
+    ports:
+      - 6443:6443  # Kubernetes API Server
+      - 80:80      # Ingress controller port 80
+      - 443:443    # Ingress controller port 443

data/examples/01-basic-redis-pod/manifest.rb

@@ -0,0 +1,60 @@
+require "bundler/setup"
+require "kube/schema"
+
+class RedisPod < Kube::Schema['Pod']
+  def initialize(container_name: 'my-redis-container', **options, &block)
+    super {
+      spec.containers = [
+        {
+          name: container_name,
+          image: 'redis:8.0.2',
+
+          command: ["redis-server", "/redis-master/redis.conf"],
+          env:     [{name: 'MASTER', value: "true"}],
+          ports:   [{ containerPort: 6379 }],
+
+          resources: { limits: { cpu: "0.1" } },
+          volumeMounts: [
+            { mountPath: '/redis-master-data', name: 'data' },
+            { mountPath: '/redis-master', name: 'config' },
+          ]
+        }
+      ]
+
+      spec.volumes = [
+        {
+          name: 'data',
+          emptyDir: {}
+        },
+        {
+          name: 'config',
+          configMap: {
+            name: 'example-redis-config',
+            items: [ { key: 'redis-config', path: 'redis.conf' } ]
+          }
+        },
+      ]
+    }
+    instance_exec(&block) if block_given?
+  end
+end
+
+puts RedisPod.new(
+  container_name: 'my-redis-container-1',
+  metadata: {
+    namespace: 'my-namespace'
+  }
+).to_yaml
+
+puts RedisPod.new(container_name: 'my-redis-container-1') {
+  metadata.namespace = 'my-namespace'
+}.to_yaml
+
+puts RedisPod.new {
+  metadata.namespace = "my-namespace"
+}.to_yaml
+
+puts RedisPod.new {
+  metadata.name = "my-redis-1"
+  metadata.namespace = "my-namespace"
+}.to_yaml

data/examples/database/manifest.rb

@@ -0,0 +1,238 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+# Database (PostgreSQL) Example
+#
+# Demonstrates the Ruby equivalents of Bitnami common chart patterns:
+#   - Secret lifecycle management (_secrets.tpl)
+#   - StorageClass resolution (_storage.tpl)
+#   - StatefulSet with persistent volumes
+#   - Headless service for stable DNS
+#   - NetworkPolicy for database isolation
+#   - Standard labels and naming (_labels.tpl, _names.tpl)
+#   - Resource presets (_resources.tpl)
+#
+# Usage:
+#   ruby examples/database/manifest.rb
+#   ruby examples/database/manifest.rb > database.yaml
+
+require "kube/schema"
+require "securerandom"
+
+# ── Naming ────────────────────────────────────────────────────────────────────
+
+APP_NAME      = "postgresql"
+RELEASE_NAME  = "my-release"
+NAMESPACE     = "database"
+FULLNAME      = "#{RELEASE_NAME}-#{APP_NAME}"[0, 63].chomp("-")
+
+# ── Labels ────────────────────────────────────────────────────────────────────
+
+STANDARD_LABELS = {
+  "app.kubernetes.io/name": APP_NAME,
+  "app.kubernetes.io/instance": RELEASE_NAME,
+  "app.kubernetes.io/version": "16.4.0",
+  "app.kubernetes.io/component": "primary",
+  "app.kubernetes.io/managed-by": "kube_cluster",
+}
+
+MATCH_LABELS = STANDARD_LABELS.slice(
+  :"app.kubernetes.io/name",
+  :"app.kubernetes.io/instance",
+  :"app.kubernetes.io/component",
+)
+
+# ── Secrets (from _secrets.tpl) ───────────────────────────────────────────────
+# Bitnami's secrets.passwords.manage generates random passwords, reuses existing
+# ones on upgrade, and base64 encodes them. In Ruby we do this directly.
+
+POSTGRES_PASSWORD = SecureRandom.alphanumeric(24)
+REPLICATION_PASSWORD = SecureRandom.alphanumeric(24)
+
+def base64(str)
+  [str].pack("m0")
+end
+
+# ── Storage (from _storage.tpl) ───────────────────────────────────────────────
+# Bitnami resolves storage class from global > persistence > default.
+# The "-" convention means explicitly use the default storage class (empty string).
+
+STORAGE_CLASS = "standard" # set to "-" for default, or nil to omit
+STORAGE_SIZE  = "10Gi"
+
+# ── Resource presets ──────────────────────────────────────────────────────────
+
+RESOURCES = {
+  requests: { cpu: "500m",  memory: "512Mi"  },
+  limits:   { cpu: "750m",  memory: "768Mi"  },
+}
+
+# ── Build manifests ───────────────────────────────────────────────────────────
+
+manifest = Kube::Schema::Manifest.new
+
+# -- Namespace --
+
+manifest << Kube::Schema["Namespace"].new {
+  metadata.name   = NAMESPACE
+  metadata.labels = STANDARD_LABELS.reject { |k, _| k == :"app.kubernetes.io/component" }
+}
+
+# -- Secret --
+# Pattern from _secrets.tpl: base64-encoded credentials, separate keys for
+# each password, supports existing secret reuse on upgrade.
+
+manifest << Kube::Schema["Secret"].new {
+  metadata.name      = FULLNAME
+  metadata.namespace  = NAMESPACE
+  metadata.labels     = STANDARD_LABELS
+  self.type = "Opaque"
+  self.data = {
+    "postgres-password":    base64(POSTGRES_PASSWORD),
+    "replication-password": base64(REPLICATION_PASSWORD),
+  }
+}
+
+# -- Headless Service (for StatefulSet stable DNS) --
+
+manifest << Kube::Schema["Service"].new {
+  metadata.name      = "#{FULLNAME}-headless"
+  metadata.namespace  = NAMESPACE
+  metadata.labels     = STANDARD_LABELS
+
+  spec.clusterIP = "None"
+  spec.selector  = MATCH_LABELS
+  spec.ports = [
+    { name: "tcp-postgresql", port: 5432, targetPort: "tcp-postgresql" },
+  ]
+}
+
+# -- Primary Service (for client connections) --
+
+manifest << Kube::Schema["Service"].new {
+  metadata.name      = FULLNAME
+  metadata.namespace  = NAMESPACE
+  metadata.labels     = STANDARD_LABELS
+
+  spec.selector = MATCH_LABELS
+  spec.ports = [
+    { name: "tcp-postgresql", port: 5432, targetPort: "tcp-postgresql" },
+  ]
+}
+
+# -- StatefulSet --
+# Uses storage class resolution pattern, secret references, resource presets,
+# pod anti-affinity for spreading replicas.
+
+manifest << Kube::Schema["StatefulSet"].new {
+  metadata.name      = FULLNAME
+  metadata.namespace  = NAMESPACE
+  metadata.labels     = STANDARD_LABELS
+
+  spec.serviceName = "#{FULLNAME}-headless"
+  spec.replicas    = 1
+  spec.selector.matchLabels = MATCH_LABELS
+
+  spec.template.metadata.labels = STANDARD_LABELS
+  spec.template.spec.containers = [
+    {
+      name:  APP_NAME,
+      image: "docker.io/postgres:16.4-alpine",
+      ports: [
+        { name: "tcp-postgresql", containerPort: 5432 },
+      ],
+      resources: RESOURCES,
+      env: [
+        { name: "POSTGRES_PASSWORD", valueFrom: { secretKeyRef: { name: FULLNAME, key: "postgres-password" } } },
+        { name: "PGDATA", value: "/var/lib/postgresql/data/pgdata" },
+      ],
+      volumeMounts: [
+        { name: "data", mountPath: "/var/lib/postgresql/data" },
+      ],
+      livenessProbe: {
+        exec: { command: ["pg_isready", "-U", "postgres"] },
+        initialDelaySeconds: 30,
+        periodSeconds: 10,
+        timeoutSeconds: 5,
+        failureThreshold: 6,
+      },
+      readinessProbe: {
+        exec: { command: ["pg_isready", "-U", "postgres"] },
+        initialDelaySeconds: 5,
+        periodSeconds: 10,
+        timeoutSeconds: 5,
+        failureThreshold: 6,
+      },
+    },
+  ]
+
+  # Pod anti-affinity: hard anti-affinity to guarantee one pod per node
+  # (from _affinities.tpl: common.affinities.pods.hard)
+  spec.template.spec.affinity = {
+    podAntiAffinity: {
+      requiredDuringSchedulingIgnoredDuringExecution: [
+        {
+          labelSelector: { matchLabels: MATCH_LABELS },
+          topologyKey: "kubernetes.io/hostname",
+        },
+      ],
+    },
+  }
+
+  # Storage class resolution (from _storage.tpl)
+  storage_class = STORAGE_CLASS == "-" ? "" : STORAGE_CLASS
+
+  spec.volumeClaimTemplates = [
+    {
+      metadata: { name: "data" },
+      spec: {
+        accessModes: ["ReadWriteOnce"],
+        storageClassName: storage_class,
+        resources: { requests: { storage: STORAGE_SIZE } },
+      },
+    },
+  ]
+}
+
+# -- NetworkPolicy --
+# Isolate the database: only allow ingress from pods with the app label,
+# deny everything else. This is a common production hardening pattern.
+
+manifest << Kube::Schema["NetworkPolicy"].new {
+  metadata.name      = FULLNAME
+  metadata.namespace  = NAMESPACE
+  metadata.labels     = STANDARD_LABELS
+
+  spec.podSelector = { matchLabels: MATCH_LABELS }
+  spec.policyTypes = ["Ingress", "Egress"]
+  spec.ingress = [
+    {
+      from: [
+        {
+          podSelector: {
+            matchLabels: { "app.kubernetes.io/name": "web-app" },
+          },
+        },
+      ],
+      ports: [
+        { protocol: "TCP", port: "5432" },
+      ],
+    },
+  ]
+  # Allow DNS egress + nothing else
+  spec.egress = [
+    {
+      to: [
+        { namespaceSelector: {} },
+      ],
+      ports: [
+        { protocol: "UDP", port: "53" },
+        { protocol: "TCP", port: "53" },
+      ],
+    },
+  ]
+}
+
+# ── Render ────────────────────────────────────────────────────────────────────
+
+puts manifest.to_yaml

data/examples/version2/demo.rb

@@ -0,0 +1,87 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+# Middleware-driven Manifest Example
+#
+# Demonstrates how middleware eliminates boilerplate. The middleware stack
+# declared in MyApp automatically generates Services, Ingresses, HPAs,
+# and injects resource limits, security contexts, and pod anti-affinity.
+#
+# The block below only declares the unique intent — the things only a
+# human knows. Everything else is derived by middleware from labels.
+#
+# What middleware generates from each Deployment:
+#   - Service           (from container ports + matchLabels)
+#   - Ingress           (from app.kubernetes.io/expose label)
+#   - HPA               (from app.kubernetes.io/autoscale label)
+#   - Resource limits   (from app.kubernetes.io/size label)
+#   - Security contexts (restricted profile, all pod-bearing resources)
+#   - Pod anti-affinity (spread across nodes, all pod-bearing resources)
+#   - Standard labels   (managed-by, merged into everything)
+#
+# Usage:
+#   ruby examples/version2/demo.rb
+#   ruby examples/version2/demo.rb > app.yaml
+
+require "kube/cluster"
+require "securerandom"
+require_relative "my_app"
+
+app = MyApp.new("example.com", size: :small) do |m|
+  name    = "rails-app"
+  ns      = "production"
+  db_name = "postgresql"
+  db_ns   = "database"
+
+  labels    = m.app_labels(name: name, instance: name)
+  db_labels = m.app_labels(name: db_name, instance: db_name, component: "primary")
+  db_match  = m.match_labels(name: db_name, instance: db_name, component: "primary")
+
+  # ── Rails tier ──────────────────────────────────────────────────
+  #
+  # One Namespace, one ConfigMap, one Deployment.
+  # Middleware generates: Service, Ingress, HPA
+  # Middleware injects:   resource limits, security context, anti-affinity, labels
+
+  [
+    Kube::Schema["Namespace"].new {
+      metadata.name   = ns
+      metadata.labels = labels
+    },
+
+    Kube::Schema["ConfigMap"].new {
+      metadata.name      = "#{name}-config"
+      metadata.namespace = ns
+      metadata.labels    = labels
+      self.data = {
+        RAILS_ENV:    "production",
+        DATABASE_URL: "postgres://#{db_name}-headless.#{db_ns}.svc.cluster.local:5432/app",
+        LOG_LEVEL:    "info",
+        WORKERS:      "4",
+      }
+    },
+
+    RubyOnRails.new {
+      metadata.name      = name
+      metadata.namespace = ns
+      metadata.labels    = labels.merge(
+        "app.kubernetes.io/expose":    "app.example.com",
+        "app.kubernetes.io/autoscale": "1-5",
+      )
+    },
+  ]
+
+  # ── Database tier ───────────────────────────────────────────────
+  #
+  # StatefulSet + headless Service + Secret + NetworkPolicy.
+  # Middleware generates: Service (from container ports)
+  # Middleware injects:   resource limits, security context, anti-affinity, labels
+
+  pg_password = SecureRandom.alphanumeric(24)
+
+  Postgresql.new {
+  }
+
+end
+
+puts app.to_yaml